I got a Heap Inspection vulnerability issue in a security report when converting a SecureString password to a string and then validating it with the MembershipProvider function. I know that I should use char[] to handle the password instead of string. But how can I pass a char[] into the built-in function to avoid the issue?
using System;
using System.Runtime.InteropServices;
using System.Security;
public static string SecureStringToString(SecureString ss)
{
    IntPtr ptr = Marshal.SecureStringToGlobalAllocUnicode(ss); // unmanaged cleartext copy; must be zeroed and freed
    try { return Marshal.PtrToStringUni(ptr); } //<---Heap Inspection issue: the managed string copy lingers until collected
    finally { Marshal.ZeroFreeGlobalAllocUnicode(ptr); } // wipe and release the unmanaged copy
}
...
Membership.ValidateUser(UserName, SecureStringToString(pwd));
2 Answers
Microsoft recommends that you don’t use SecureString for any new development. See Remarks here:
https://learn.microsoft.com/en-us/dotnet/api/system.security.securestring?view=net-6.0
and linked GitHub advice here:
https://github.com/dotnet/platform-compat/blob/master/docs/DE0001.md
To answer your actual question (examples in the link above): you are expected to build the secure string character by character as the credentials are entered. Passing a (complete) char array isn’t much different from passing a string.
You can’t. Membership.ValidateUser does not have an overload accepting a SecureString. Why? We don’t know. Maybe the ASP.NET Membership framework was not designed for high-security systems where hardening code against heap inspection is a business requirement. Thus, you only have two options:
Use a different (custom-built) user validation method or
accept the fact that the password will linger around on the heap for some time.
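The first option above, a custom validation method that never materialises a System.String, as an added example that is not part of either answer: it assumes the stored credential is a PBKDF2-SHA256 hash with its salt and iteration count, and a .NET 6+ runtime for the static Rfc2898DeriveBytes.Pbkdf2 and CryptographicOperations APIs. The names PasswordCheck and Verify are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

public static class PasswordCheck
{
    // Verifies a SecureString against a stored PBKDF2-SHA256 hash without creating
    // a managed string: the UTF-16 bytes land in a pinned byte[] (so the GC cannot
    // relocate it and leave a stale copy behind) and are zeroed in the finally block.
    // Assumed storage format: salt + iteration count + derived key, all supplied by the caller.
    public static bool Verify(SecureString password, byte[] salt, int iterations, byte[] expectedHash)
    {
        IntPtr unmanaged = IntPtr.Zero;
        byte[] utf16 = new byte[password.Length * 2];        // two bytes per UTF-16 code unit
        byte[] actual = new byte[expectedHash.Length];
        GCHandle pin = GCHandle.Alloc(utf16, GCHandleType.Pinned);
        try
        {
            // Decrypt into unmanaged memory, copy the raw bytes over, never call PtrToStringUni.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, utf16, 0, utf16.Length);

            // Span-based PBKDF2 keeps the password as bytes; no string is ever built.
            Rfc2898DeriveBytes.Pbkdf2(utf16, salt, actual, iterations, HashAlgorithmName.SHA256);

            // Constant-time comparison so the check does not leak how many bytes matched.
            return CryptographicOperations.FixedTimeEquals(actual, expectedHash);
        }
        finally
        {
            // Wipe every cleartext copy we made, then unpin the managed buffer.
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            CryptographicOperations.ZeroMemory(utf16);
            CryptographicOperations.ZeroMemory(actual);
            pin.Free();
        }
    }
}
```

This only shrinks the window in which cleartext exists; the SecureString itself and the caller's input path still have to be built character by character as the first answer describes.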